.1 



(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(19) World Intellectual Property Organization 
International Bureau 

(43) International Publication Date 
23 October 2003 (23.10.2003) 



«1 



PCT 



1MU19IIIII1IIII1II1111H111 

(10) International Publication Number 

WO 03/088532 Al 



(51) International Patent Classification 7 : H04B 17/00 

(21) International Application Number: PCT/US03/1 1 107 

(22) International Filing Date: 1 1 April 2003 (1 1.04.2003) 



(25) Filing Language: 

(26) Publication Language: 

(30) Priority Data: 
60/371,938 



English 
English 

1 1 April 2002 (1 1.04.2002) US 



(71) Applicant (for all designated States except US): THE 
JOHNS HOPKINS UNIVERSFTY [US/US]; 34th and 
Charles Streets, Baltimore, MD 21218 (US). 

(72) Inventors; and 

(75) Inventors/Applicants (for US only): MUADDI, Albert 
B. [US/US]; 11215 Oak Leaf Drive, Apt 2013, Silver 
Spring, MD 20901 (US). TOMKO, Albert, A. [US/US]; 
2385 Steltz Road, New Freedom, PA 1 7349 (US). 



(74) Agents: ROCA, Benjamin, Y. et al.; The Johns Hopkins 
University, Applied Physics Laboratory, 1 1 100 Johns Hop- 
kins Road, Laurel, MD 20723-6099 (US). 

(81) Designated States (national): AE, AG, AL, AM, AT, AU, 
AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, 
CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, 
GM, HR, HU, ID, IL.IN, IS, JP. KB, KG, KP. KR. KZ. LC. 
LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, 
MX, MZ, NI, NO, NZ, OM, PH, PL, PT, RO, RU, SC, SD, 
SB, SG, SK, SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, 
UZ, VC. VN. YU. ZA. ZM. ZW. 

(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), 
Eurasian patent (AM. AZ. BY. KG. KZ. MD. RU. TT, TM), 
European patent (AT, BE, BG, CH, CY, CZ, DE, DK, EE, 
ES, FI, FR, GB, GR, HU, IE, IT, LU, MC, NL, PT, RO, 
SE, SI, SK, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, 
GA. ON, CxQ, OW, Ml ., MR. NE, SN, TD, TG). 



Published: 

— with international search report 



[Continued on next page] 



(54) Title: INTRUSION DETECTION SYSTEM FOR WIRELESS NETWORKS 



00 
m 

I 

DO 

m 

o 
O 

13 




Monitor-2 



OepJoyerf Ort Node- 



Adversary 



Fusion Station 



Monifor.1 





M3L 



Wimline Trunk 



*i3l 



1 





! Aiort Station 



pea 




McnRor-3 



*/> 

00 

to 
o 

O 



(57) Abstract: A method and system (fig. 2) for facilitating detection of intruders into a wireless network, through the use of 
physical layer anomalies. One or more monitoring stations (22, 24, 26) can be distributed across the potential intruder's signal 
transmission region. They process these transmissions and extract attributes of the signals, which can tlieii Uansuiil to one or more 
fusion stations (28), which correlate the calculated attributes with stored attributes of signals of known, authorized users of the 
network, and transmit alert messages in the case that these signal attributes do not match those of known, authorized users. Signal 
attributes in accordance with the instant invention include the carrier frequency, spurious emissions, and power-on and power-down 
Uamicuts. Also hi accuidance with ihc iiislajU invention are methods and systems using both direct and mullipath received signal 
strength, signal-to-noise ratio, and geometric characteristics such as direction/angle of arrival (AOA), time of arrival, position/range, 
time dispersion, Doppler shift and polarization. 
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TITLE OF THE INVENTION 
INTRUSION DETECTION SYSTEM FOR WIRELESS NETWORKS 



CROSS-REFERENCE TO RELATED APPLICATION 

[0001] This application claims priority to a provisional application entitled 
"Wireless Network Physical-layer Intrusion Detection System" filed in the United States 
Patent and Trademark Office on April 1 1, 2002 and assigned Serial No. 60/371,938, the 
contents of which are incorporated herein by reference. 

BACKGROUND OF THE PWENTION 

Field of the Invention: 

[0002] The present invention relates to an intrusion detection system for wireless 
networks. More specifically, it relates to a method for facilitating detection of intruders into 
a wireless network, through the use of physical layer anomalies. 

Description of the Related Art: 

■ 

[0003] The use of wireless networks in general, and wireless local area networks 
(WLANs) in particular, is expanding rapidly, and is now a viable technology for retail stores, 
hotels, airports, museums, convention centers and college campuses. Being wireless, these 
networks do not benefit from the same degree of physical security enjoyed by wired 

■ 

networks. However, these networks require robust security measures, for example, accurate 

monitoring tor both unintentional problems and intentional attacks, and intrusion detection 

systems are an important part of the network architecture. 

[0004] Existing intrusion detection systems rely chiefly on network layer and high 

layer protocol information as inputs to the system. Use of an IPSec client, MAC address 

authentication, and link layer integrity checks are some conventional techniques in use. 

While these approaches have utility, they also have limitations. In particular, higher level 

l 
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techniques such as these are often not robust against certain classes of attacks, for example, 
datagram spoofing. Spoofing is a class of techniques involving the creation of TCP/IP 
packets using someone else's IP address. More specific examples include techniques such as 
man-in-the-middle, routing redirect, source routing, blind spoofing and flooding. 

[0005] Thus, what is needed is a method and system in a wireless network for 
facilitating detection of intruders, which uses physical layer information, thus addressing and 
solving problems associated with conventional systems using only higher level information- 

SUMMARY OF THE INVENTION 
[0006] It is one object of the invention disclosed herein to provide a method and 
system for facilitating detection of intruders into a wireless network, which exploits physical- 
layer informalion. By physical layer 13 meant that layer of the network's protocol 
architecture concerned with the characteristics of the transmission medium, the nature of the 
signals, the data rate and related matters. 

[0007] The present invention is useful in a variety of applications, where datagram 
and related spoofing techniques are a concern. One technique employs one or more 
monitoring stations which may be distributed across the potential intruder's transmission 
region. These monitoring stations each receive signal transmissions from a local region of 
the wireless network. They process these transmissions and extract attributes of the signals. 
They then transmit the processed information (signal attributes) to one or more fusion 
stations. The fusion stations may correlate the calculated attributes with stored attributes of 
signals of known, authorized users of the network, and transmit alert messages in the case 
that these signal attributes do not match those of authorized users of the network. 

[0008] Signal attributes in accordance with the instant invention may include 
intrinsic signal characteristics, such as the carrier frequency, spurious emissions, and power- 
on and power-down transients. Also in accordance with the instant invention are methods 

2 

BNSDOCID: <WO O3088532A1 I > 



WO 03/088532 PCT/US03/1 1107 

and systems using both direct and multipath received signal strength (power), signal-to-noise 

# 

ratio, and geometric characteristics such as direction/angle of arrival (AOA), time of arrival, 
position/range, time dispersion, Doppler shift and polarization. 

[0009] Such signal attributes are generally random variables with time-varying 
statistics, hi general, these statistics will change with orientation, position and velocity of 
transmitter and receiver, motion of objects within propagation channel, and environmental 
conditions (e.g. precipitation, smoke, etc.) Therefore, specific implementations of this 
technique will typically require knowledge of the locations and signal characteristics of 
known, authorized users, and tuning of the algorithms to these specific details of the 
situation. 

[0010] An advantage of this technique is the ability to "fingerprinf * the signal 
produced by wireless chips. By analyzing and storing specific attributes of signals produced 
by specific chips, a new level of robustness against intrusion is provided. Intruders who are 
using different chips than those of known, authorized users may be detected, even though 
they may be able to pass undetected through higher layers of the network architecture 
security structure. 

[0011] Another advantage of this technique is the capability to identify an intruder 
by his geographic location. Geometric information may be used to identify an intruder's 
angle of arrival, range, or other information from which his location may be determined. 
Signals originating from a location different than that of known, authorized users may be 
evidence of an intruder. 

BRIEF DESCRIPTION OF THE DRAWINGS 
[0012] FIG. 1 is a graphical depiction of the layers of a network architecture, and 
their relationships to an intrusion detection system utilizing physical layer information; 

3 
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[0013] FIG. 2 is a graphical representation of an intrusion detection system in 

accordance with the present invention; 

[0014] FIG 3 displays four graphs of power-on transient signals captured from four 

PC cards; and 

[0015] FIG 4 shows an original/reconstructed signal of a Cisco PC card, and its 
wavelet transform. 

HET AILED DESCRIPTION OF EXEMPLARY EMBODIMENTS 
[0016] FIG. 1 is a graphical depiction of the layers of a network architecture, and 
their relationships to an intrusion detection system utilizing physical layer information. 
The specific-example here is of a TCP/IP over radio interface. 

[0017] Five potential architecture layers arc shown in FIG. 1. From top to bottom 
they can be categorized as the application, transport, network, datalink and physical layers. 
The focus of the present invention is on the physical layer, and the graphics depicts the 
analog RF signal entering the physical layer, prior to A/D conversion. The most complete 
intrusion detection system would gather evidence by utilizing all five of the architecture 
layers. Information from the various layers is fed into models and a decision is made as to 

the status of an intrusion. 

[0018] The present invention is useful in a variety of applications, where datagram 
and spoofing techniques are a concern. The technique may employ one or more monitoring 
stations which are distributed across the potential intruder's signal transmission region. 
These monitoring stations each receive signal transmissions from a local region of the 
wireless network. They process these transmissions and extract attributes of the signals. 
They then transmit the processed information (signal attributes) to one or more fusion 
stations. The fusion stations correlate the calculated attributes with stored attributes of 

4 
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signals of known, or authorized users of the network, and transmit alert messages in the case 

■ 

that these signal attributes do not match those of authorized users of the network. 

[0019] FIG* 2 is a graphical representation of an intrusion detection system in 
accordance with the instant invention. Of particular interest to the instant invention are the 
adversary 20, three monitoring stations 22, 24, 26, and a fusion station 28. The adversary's 
transmissions may be picked up by one or more monitoring stations, where the RF attributes 
are estimated and passed to a fusion station. The fusion station correlates this information to 
detect intrusions. If intrusion -is detected, alert packets are sent Note that this figure is for 
illustrative purposes only and the number of monitoring stations and fusion stations will vary 
with the specific network architecture. 

[0020] In one class of embodiments of the invention, the monitoring stations 
receive signals corresponding to powcr-on or power-down transients of the network 
participants. Attributes computed by the monitoring stations include characteristics of either 
Fourier or wavelet-based transforms of the power-on or power-down signals. The monitoring 

stations may transmit these calculated attributes to one or more fusion stations. The fusion 

stations then compare the Fourier or wavelet characteristics of the received signals with 
known Fourier or wavelet characteristics of authorized participants on the network. 
Anomalies, if detected, cause alert messages to be sent, to notify the appropriate persons or 
systems that an intruder may be present. 

[0021] FIG 3. Shows four graphs of power-on transient signals captured from four 
PC cards, two Lucent cards 30, 32 and two Cisco cards 34, 36. The graphs shown were 
obtained through digitization (at 25 MHz IF) of 50 samples of beacon transmission from each 
of the four cards. 

[0022] FIG 4. Shows an original/reconstructed signal of a Cisco PC card 40, and 
its wavelet transform 42. Of particular note is the feature of the Cisco card obtained through 
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the wavelet transform. This is an example of "fingerprinting'* of the cards, which can be used 
to determine a card which is not from a known, authorized user. 

[0023] An another embodiment, monitoring stations include a mixer and low power 
amplifier (LPF) that may obtain an intermediate frequency (IF) signal. Attributes computed 
by the monitoring stations include statistics on the IF signals in the time domain. These 
statistics include median, mean and standard deviation. The computed statistics are then 
transmitted to the fusion station, which compares them to similar stored statistics on signals 
from known users. Again, anomalies are detected and appropriate authorities are notified. 

[0024] In another embodiment, attributes computed by the monitoring stations may 
include direct path received power, and the ratio of (multipath) power received in-chip to 
direct path received power. These attributes are then transmitted to the fusion station, which 
compares them to stored statistics on signals from known users. These stored statistics may 
include the mean, median and standard deviation of the direct path received power and the 
ratio of (multipath) power received in-chip to direct path received power. Again, anomalies 
arc detected and appropriate authorities ore notified, 

[0025] In another embodiment, attributes computed by the monitoring stations 
include horizontal polarization and/or vertical polarization, and may also include direction of 
arrival and/or received power. These attributes are then transmitted to the fusion station, 
which compares them to stored statistics on signals from known users. These stored statistics 

r 

may include the mean, median and standard deviation of the horizontal polarization and/or 
vertical polarization, the direction of arrival and/or received power. Again, anomalies are 
detected and appropriate authorities may be notified. 

[0026] Although a specific form of embodiment of the instant invention has been 
described above and illustrated in the accompanying drawings in order to be more clearly 
understood, the above description is made by way of example and not as a limitation to the 
scope of the instant invention. It is contemplated that various modifications apparent to one 
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of ordinary skill in the art could be made without departing from the scope of the invention 
which is to be determined by the following claims. 
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What is claimed is: 



1 1 . A system for detecting intrusion into a wireless network, the system comprising: 

2 a monitoring station, having a first transceiver, the first transceiver comprising: 

3 a first receiver front end for receiving and demodulating a first signal, 

4 a first transmitter for sending a first communication, and 

5 a first processor coupled to said first receiver front end for processing the 

6 first signal, and coupled to said first transmitter for controlling the first 

7 transmitter; and ' 

8 a fusion station, having a second transceiver, the second transceiver comprising: 

9 a second receiver front end for receiving and demodulating said first 

1 0 communication; 

11 a second transmitter for sending a second conununicatiuii, and 

12 a second processor coupled to said second receiver front end for 

13 processing the first communication from said monitoring station, and said 

1 4 second processor coupled to the second transmitter for controlling the second 

1 5 transmitter. 

1 2 . The system of claim 1 , wherein 

2 the second processor stores attributes of an expected signal; 

3 the first receiver front end receives and demodulates the first signal; 

4 the first processor calculates attributes of the first signal; 

5 the first transmitter transmits the first communication containing the attributes of 

6 the first signal; 

7 the second receiver front end receives and demodulates the first communication; 
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9 
10 

11 

12 



the second processor compares the attributes of the first signal with the stored 

* ■ 

attributes of the expected signal to determine whether the attributes of the first signal 
deviate from the stored attributes of the expected signal; and 

the second transmitter transmits alert messages if the attributes of the first 
signal deviate from the stored attributes of the expected signal. 



1 3. The system of claim 2, wherein the second processor compares a frequency content of 

2 power-on transient of the first "signal, with a frequency content of power-on transient of the 

3 expected signal. 



1 4. The system of claim 2, wherpin the second processor compares a stored wavelet 

2 transform of power-on transient of the first signal, with a wavelet transform of power-on 

3 transient of the expected signal. 



1 5. The system of claim 2, wherein the second processor compares a frequency content of 

2 power-down transient of the first signal, with a frequency content of power-down transient of 

3 the expected signal. 



1 6. The system of claim 2, wherein the second processor compares a stored wavelet 

* 

* 

2 transform of power-down transient of the first signal, with a wavelet transform of power- 

3 down transient of the expected signal. 



1 7. The system of claim 2, wherein the second processor compares a median, mean, and 

2 standard deviation of an IF signal obtained from the first signal, with a median, mean and 

3 standard deviation of an IF signal obtained from the expected signal. 
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1 8. The system of claim 2, wherein the second processor compares a direct path received 

2 power from the first signal and a ratio of (multipath) power received in-chip to the direct path 

3 received power from the first signal, with a direct path received power from the expected 

4 signal and the ratio of (multipath) power received in-chip to the direct path received power 

5 from the expected signal. 



1 9. The system of claim 2, wherein the second processor compares polarization and direction 

2 of arrival of the first signal to polarization and direction of arrival of the expected signal. 

1 10. A method for intrusion detection into a wireless network comprising the steps of: 

2 monitoring a first signal havinjg attributes; 

3 receiving and demodulating a first signal having attributes; 

4 transmitting a first communication; 

5 receiving and demodulating the first communication; and 

6 sending a second communication. 

1 11. The method of claim 1 0, further comprising the steps of: 

2 storing an expected attribute of an expected signal; 

3 calculating an attribute of the first signal; 

4 comparing an attribute of the first signal with a stored attribute of the expected 

5 signal to determine whether the attribute of the first signal deviate from the stored 

■ 

6 attribute of the expected signal; and 

7 transmitting alert message if the attribute of the first signal deviate from the stored 

8 attribute of the expected signal. 
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1 12. The method of claim 11, wherein the attribute is a frequency content of power-on 

2 transient of the signal. 



1 13. The method of claim 11, wherein the attribute is a wavelet transform of power-on 

2 transient of the signal. 



1 14. The method of claim 1 1, wherein the attribute is a frequency content of power-down 

2 transient of the signal. 



1 15. The method of claim 1 1 , wherein the attribute is a wavelet transform of power-down 

2 transient of the signal. 



1 16. The method of claim 11, wherein the attribute is a calculated median, mean, or 

2 standard deviation of an IF signal obtained from the first signal. 



1 17. The method of claim 11, wherein the attribute is a calculated direct path received 

2 power from the signal and a ratio of (multipath) power received in-chip to the direct path 

3 received power from the signal. 



1 



18. The method of claim 11, wherein the attribute is a calculated polarization and direction 



2 of arrival of the signal. 



19. The method of claim 1 1, wherein an attribute includes one or more attributes. 
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